asp.net viewstate加密 [英] asp.net viewstate encryption

问题描述

我有几个问题，关于在asp.net 3.5中加密viewstate的时间和方式。
例如，如果我的web.config中有一个machinekey条目，如：

decryptKey =AutoGenerate，IsolateApps
validation =AES
decrypt = Auto/>

此时是否加密视图状态？或者我还需要在页面部分中指定viewStateEncryptionMode？

另外，是否可以加密一个表单验证cookie，但是不能同时加密viewstate？ / p>

感谢任何帮助。

解决方案

页面上的控件可以请求加密用于ViewState，但即使这个请求可以被页面设置覆盖。

ViewStateEncryptionMode枚举有三个值：Auto，Always和Never。默认值为Auto。

ViewStateEncryptionMode.Auto

在此模式下，如果页面上的任何控件请求，ASP.NET将加密ViewState的页面。请注意，这意味着所有的ViewState都是加密的，而不仅仅是对请求它的控件的ViewState。与加密相关的性能成本的很大一部分在于开销。所以加密整个ViewState比执行单独的加密操作要快一些。

ViewStateEncryptionMode.Never

正如你所料，ASP.NET将不会对ViewState进行加密，即使应用程序设置为加密，页面上的控件已经请求。如果您知道页面中涉及的数据不需要加密，那么将模式设置为从不可能是安全的。然而，在这一点上，有关控件的文档很少披露ViewState中保存的内容，因此如果有机会暴露敏感数据，则需要小心。

ViewStateEncryptionMode.Always

在此模式下，ASP.NET不等待页面中的控件请求加密。 ViewState始终加密。使用敏感数据时，使用加密是个好习惯。

资料来源： http://msdn.microsoft.com/en-us/library/aa479501.aspx

I have a few questions about when and how viewstate is encrypted in asp.net 3.5. For instance, if I have a machinekey entry in my web.config like: decryptionKey="AutoGenerate,IsolateApps" validation="AES" decryption="Auto" />

Is viewstate encrypted at this point? Or do I need to specify the viewStateEncryptionMode in the page section also?

Also, is it possible to encrypt a formsauthentication cookie, but not encrypt viewstate at the same time?

Thanks for any help.

解决方案

The controls on the page can request that encryption be used for the ViewState, but even this request can be overridden by the page setting.

The ViewStateEncryptionMode enumeration has three values: Auto, Always, and Never. The default value is Auto.

ViewStateEncryptionMode.Auto

In this mode, ASP.NET will encrypt the ViewState for a page if any control on the page requests it. Note that this means all of the ViewState is encrypted, not just the ViewState for the control that requests it. A large part of the performance cost associated with encryption is in the overhead. So encrypting the whole ViewState is faster than doing separate encryption operations if more than one control makes the request.

ViewStateEncryptionMode.Never

As you would expect, in this mode ASP.NET will not encrypt the ViewState, even if the application is set for encryption and controls on the page have requested it. If you know that no data involved in the page needs to be encrypted, then it may be safe to set the mode to Never. However, at this point it is rare for the documentation about a control to disclose what is being saved in ViewState, so you will want to be careful if there is a chance that sensitive data could be exposed.

ViewStateEncryptionMode.Always

In this mode, ASP.NET does not wait for a control in the page to request encryption. ViewState is always encrypted. When working with sensitive data, it is a good practice to utilize encryption.

Source: http://msdn.microsoft.com/en-us/library/aa479501.aspx

这篇关于asp.net viewstate加密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！